Kicking Security Chain Attacks to the Curb with Kyverno and Notary in GitOps - Shuting Zhao, Nirmata & Feynman Zhou, Microsoft
As supply chain initiatives drove the need to distribute detached signatures and signed SBOMs for container images, reference types were needed to attach that information to images in an OCI registry. With the referrers API in the OCI v1.1 spec, associating software supply chain artifacts with container images during content distribution becomes straightforward. It also lets policy tools such as Kyverno consume the data in those artifacts for security checks before deployment. Modern Kubernetes deployments span multiple applications, clusters, and environments, especially in large organizations. How do you verify image integrity, security, and compliance in order to manage applications at scale? In this session, Feynman Zhou and Shuting Zhao will show how to establish trust in container images and verify resources using CNCF projects such as Notary, Kyverno, and ORAS. They will demonstrate how to implement these tools in GitOps to improve software supply chain security.
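The pre-deployment check the abstract describes, as an added example written for this page (not the speakers' demo material and not taken from the Kyverno project's own docs): a Kyverno ClusterPolicy that, before admitting a Pod, requires a Notary signature on the image and a signed CycloneDX SBOM attached to it through the referrers API, then inspects the SBOM payload. The image pattern, the attestation type name and the certificate contents are placeholders to replace with your own; the `bomFormat`/`specVersion` keys are the top-level fields of a CycloneDX document.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-notary-signature-and-sbom
spec:
  # Reject Pods whose images fail verification instead of only auditing them
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: require-notary-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - type: Notary                       # use Notary (notation) signatures, not Cosign
          imageReferences:
            - "registry.example.com/team/*"  # placeholder: images this rule applies to
          # At least one trusted signing certificate must have signed the image
          attestors:
            - count: 1
              entries:
                - certificates:
                    cert: |-
                      -----BEGIN CERTIFICATE-----
                      <placeholder: PEM of the trusted Notary signing certificate>
                      -----END CERTIFICATE-----
          # Also require an SBOM referrer that is itself signed by the same trust root
          attestations:
            - type: sbom/cyclone-dx          # placeholder: artifact type the SBOM was pushed with
              attestors:
                - entries:
                    - certificates:
                        cert: |-
                          -----BEGIN CERTIFICATE-----
                          <placeholder: same or separate SBOM signing certificate>
                          -----END CERTIFICATE-----
              # Inspect the verified SBOM payload before admitting the Pod
              conditions:
                - all:
                    - key: "{{ bomFormat }}"
                      operator: Equals
                      value: "CycloneDX"
                    - key: "{{ specVersion }}"
                      operator: AnyIn
                      value: ["1.4", "1.5"]
```

Because the SBOM is a referrer of the image digest, an attacker who re-tags an unsigned image or swaps its SBOM cannot satisfy the policy: both the signature and the attestation resolve against the digest Kyverno records in the admitted Pod.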
CNCF (Cloud Native Computing Foundation) was founded in December 2015 as a non-profit organization under the Linux Foundation.
CNCF fosters and sustains a vendor-neutral open source ecosystem to promote cloud native technology. We democratize state-of-the-art patterns to make these innovations accessible to everyone.